Opened 4 years ago

Closed 3 months ago

#29802 closed New feature (wontfix)

Allow skipping CSRF check for Referer header

Reported by: Aaron Hill Owned by: nobody
Component: CSRF Version: 2.1
Severity: Normal Keywords: csrf, https, hsts, referer
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Aaron Hill)

Currently, Django's CSRF middleware will reject any 'non-safe' HTTPS request that lacks a Referer header: https://github.com/django/django/blob/22e8ab02863819093832de9f771bf40a62a6bd4a/django/middleware/csrf.py#L242

However, some users may prevent their browsers from sending the Referer header, due to privacy concerns. These users are unable to submit 'non-safe' requests (e.g. POST requests) on HTTPS-enabled Django-powered website that use CSRF protection.

For some websites, checking the Referer header may provide no added security benefit. For example, an HSTS-preloaded website which controls all of its subdomains has nothing to gain from this check - there are no untrusted subdomains which can mount an attack, and HSTS prevents an HTTP MITM attack.

To allow these websites to provide more flexibility to their users, Django should support disabling this CSRF Referer check. This could be done through a new setting, e.g. ' CSRF_REFERER_CHECK' (defaulting to 'True' to avoid breaking existing sites).

Change History (3)

comment:1 Changed 4 years ago by Aaron Hill

Description: modified (diff)

comment:2 Changed 4 years ago by Tim Graham

Triage Stage: UnreviewedSomeday/Maybe

Please make your proposal on the DevelopersMailingList as the addition of new settings requires a consensus.

comment:3 Changed 3 months ago by Mariusz Felisiak

Resolution: wontfix
Status: newclosed
Triage Stage: Someday/MaybeUnreviewed

Please first start a discussion on the DevelopersMailingList, where you'll reach a wider audience and see what other think, and follow the guidelines with regards to requesting features. Thanks.

Note: See TracTickets for help on using tickets.
Back to Top